// SPDX-License-Identifier: GPL-2.0
/*
 *  Copyright (C) 1994  Linus Torvalds
 *
 *  Cyrix stuff, June 1998 by:
 *	- Rafael R. Reilova (moved everything from head.S),
 *	  <rreilova@ececs.uc.edu>
 *	- Channing Corn (tests & fixes),
 *	- Andrew D. Balsa (code cleanup).
 */

#include <linux/init.h>
#include <linux/utsname.h>
#include <linux/cpu.h>
#include <linux/module.h>
#include <linux/nospec.h>
#include <linux/prctl.h>
#include <linux/sched/smt.h>

#include <asm/spec-ctrl.h>
#include <asm/cmdline.h>
#include <asm/bugs.h>
#include <asm/processor.h>
#include <asm/processor-flags.h>
#include <asm/fpu/internal.h>
#include <asm/msr.h>
#include <asm/vmx.h>
#include <asm/paravirt.h>
#include <asm/alternative.h>
#include <asm/pgtable.h>
#include <asm/set_memory.h>
#include <asm/intel-family.h>
#include <asm/e820/api.h>

static void __init spectre_v2_select_mitigation(void);
static void __init ssb_select_mitigation(void);
static void __init l1tf_select_mitigation(void);

/* The base value of the SPEC_CTRL MSR that always has to be preserved. */
u64 x86_spec_ctrl_base;
EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
static DEFINE_MUTEX(spec_ctrl_mutex);

/*
 * The vendor and possibly platform specific bits which can be modified in
 * x86_spec_ctrl_base.
 */
static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS;

/*
 * AMD specific MSR info for Speculative Store Bypass control.
 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
 */
u64 __ro_after_init x86_amd_ls_cfg_base;
u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;

/* Control conditional STIBP in switch_to() */
DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp);
/* Control conditional IBPB in switch_mm() */
DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
/* Control unconditional IBPB in switch_mm() */
DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);

/* Control MDS CPU buffer clear before returning to user space */
DEFINE_STATIC_KEY_FALSE(mds_user_clear);
EXPORT_SYMBOL_GPL(mds_user_clear);
/* Control MDS CPU buffer clear before idling (halt, mwait) */
DEFINE_STATIC_KEY_FALSE(mds_idle_clear);
EXPORT_SYMBOL_GPL(mds_idle_clear);

void __init check_bugs(void)
{
	identify_boot_cpu();

	/*
	 * identify_boot_cpu() initialized SMT support information, let the
	 * core code know.
	 */
	cpu_smt_check_topology_early();

	if (!IS_ENABLED(CONFIG_SMP)) {
		pr_info("CPU: ");
		print_cpu_info(&boot_cpu_data);
	}

	/*
	 * Read the SPEC_CTRL MSR to account for reserved bits which may
	 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
	 * init code as it is not enumerated and depends on the family.
	 */
	if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
		rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);

	/* Allow STIBP in MSR_SPEC_CTRL if supported */
	if (boot_cpu_has(X86_FEATURE_STIBP))
		x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;

	/* Select the proper spectre mitigation before patching alternatives */
	spectre_v2_select_mitigation();

	/*
	 * Select proper mitigation for any exposure to the Speculative Store
	 * Bypass vulnerability.
	 */
	ssb_select_mitigation();

	l1tf_select_mitigation();

#ifdef CONFIG_X86_32
	/*
	 * Check whether we are able to run this kernel safely on SMP.
	 *
	 * - i386 is no longer supported.
	 * - In order to run on anything without a TSC, we need to be
	 *   compiled for a i486.
	 */
	if (boot_cpu_data.x86 < 4)
		panic("Kernel requires i486+ for 'invlpg' and other features");

	init_utsname()->machine[1] =
		'0' + (boot_cpu_data.x86 > 6 ? 6 : boot_cpu_data.x86);
	alternative_instructions();

	fpu__init_check_bugs();
#else /* CONFIG_X86_64 */
	alternative_instructions();

	/*
	 * Make sure the first 2MB area is not mapped by huge pages
	 * There are typically fixed size MTRRs in there and overlapping
	 * MTRRs into large pages causes slow downs.
	 *
	 * Right now we don't do that with gbpages because there seems
	 * very little benefit for that case.
	 */
	set_memory_4k((unsigned long)__va(0), 1);
#endif
}

void
x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
{
	u64 msrval, guestval, hostval = x86_spec_ctrl_base;
	struct thread_info *ti = current_thread_info();

	/* Is MSR_SPEC_CTRL implemented ? */
	if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
		/*
		 * Restrict guest_spec_ctrl to supported values. Clear the
		 * modifiable bits in the host base value and or the
		 * modifiable bits from the guest value.
		 */
		guestval = hostval & ~x86_spec_ctrl_mask;
		guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;

		/* SSBD controlled in MSR_SPEC_CTRL */
		if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
		    static_cpu_has(X86_FEATURE_AMD_SSBD))
			hostval |= ssbd_tif_to_spec_ctrl(ti->flags);

		/* Conditional STIBP enabled? */
		if (static_branch_unlikely(&switch_to_cond_stibp))
			hostval |= stibp_tif_to_spec_ctrl(ti->flags);

		if (hostval != guestval) {
			msrval = setguest ? guestval : hostval;
			wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
		}
	}

	/*
	 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
	 * MSR_AMD64_LS_CFG or MSR_VIRT_SPEC_CTRL if supported.
	 */
	if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
	    !static_cpu_has(X86_FEATURE_VIRT_SSBD))
		return;

	/*
	 * If the host has SSBD mitigation enabled, force it in the host's
	 * virtual MSR value. If it's not permanently enabled, evaluate
	 * current's TIF_SSBD thread flag.
	 */
	if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
		hostval = SPEC_CTRL_SSBD;
	else
		hostval = ssbd_tif_to_spec_ctrl(ti->flags);

	/* Sanitize the guest value */
	guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;

	if (hostval != guestval) {
		unsigned long tif;

		tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
				 ssbd_spec_ctrl_to_tif(hostval);

		speculation_ctrl_update(tif);
	}
}
EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);

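/*
 * Typical caller pattern (an illustrative sketch, not a verbatim copy of any
 * hypervisor): a VM entry/exit path brackets the guest run with this helper,
 *
 *	x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, true);
 *	... run the guest ...
 *	x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, false);
 *
 * so the MSR is only rewritten when host and guest values actually differ.
 */
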
static void x86_amd_ssb_disable(void)
{
	u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;

	if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
		wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
	else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
		wrmsrl(MSR_AMD64_LS_CFG, msrval);
}

#undef pr_fmt
#define pr_fmt(fmt)	"Spectre V2 : " fmt

static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
	SPECTRE_V2_NONE;

static enum spectre_v2_user_mitigation spectre_v2_user __ro_after_init =
	SPECTRE_V2_USER_NONE;

#ifdef CONFIG_RETPOLINE
static bool spectre_v2_bad_module;

bool retpoline_module_ok(bool has_retpoline)
{
	if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
		return true;

	pr_err("System may be vulnerable to spectre v2\n");
	spectre_v2_bad_module = true;
	return false;
}

static inline const char *spectre_v2_module_string(void)
{
	return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
}
#else
static inline const char *spectre_v2_module_string(void) { return ""; }
#endif

static inline bool match_option(const char *arg, int arglen, const char *opt)
{
	int len = strlen(opt);

	return len == arglen && !strncmp(arg, opt, len);
}

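/*
 * Illustrative example: match_option("retpoline", 9, "retpoline") is true,
 * while match_option("retpoline,amd", 13, "retpoline") is false; the
 * argument must match the option exactly, not merely share a prefix.
 */
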
/* The kernel command line selection for spectre v2 */
enum spectre_v2_mitigation_cmd {
	SPECTRE_V2_CMD_NONE,
	SPECTRE_V2_CMD_AUTO,
	SPECTRE_V2_CMD_FORCE,
	SPECTRE_V2_CMD_RETPOLINE,
	SPECTRE_V2_CMD_RETPOLINE_GENERIC,
	SPECTRE_V2_CMD_RETPOLINE_AMD,
};

enum spectre_v2_user_cmd {
	SPECTRE_V2_USER_CMD_NONE,
	SPECTRE_V2_USER_CMD_AUTO,
	SPECTRE_V2_USER_CMD_FORCE,
	SPECTRE_V2_USER_CMD_PRCTL,
	SPECTRE_V2_USER_CMD_PRCTL_IBPB,
	SPECTRE_V2_USER_CMD_SECCOMP,
	SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
};

static const char * const spectre_v2_user_strings[] = {
	[SPECTRE_V2_USER_NONE]			= "User space: Vulnerable",
	[SPECTRE_V2_USER_STRICT]		= "User space: Mitigation: STIBP protection",
	[SPECTRE_V2_USER_STRICT_PREFERRED]	= "User space: Mitigation: STIBP always-on protection",
	[SPECTRE_V2_USER_PRCTL]			= "User space: Mitigation: STIBP via prctl",
	[SPECTRE_V2_USER_SECCOMP]		= "User space: Mitigation: STIBP via seccomp and prctl",
};

static const struct {
	const char			*option;
	enum spectre_v2_user_cmd	cmd;
	bool				secure;
} v2_user_options[] __initdata = {
	{ "auto",		SPECTRE_V2_USER_CMD_AUTO,		false },
	{ "off",		SPECTRE_V2_USER_CMD_NONE,		false },
	{ "on",			SPECTRE_V2_USER_CMD_FORCE,		true  },
	{ "prctl",		SPECTRE_V2_USER_CMD_PRCTL,		false },
	{ "prctl,ibpb",		SPECTRE_V2_USER_CMD_PRCTL_IBPB,		false },
	{ "seccomp",		SPECTRE_V2_USER_CMD_SECCOMP,		false },
	{ "seccomp,ibpb",	SPECTRE_V2_USER_CMD_SECCOMP_IBPB,	false },
};

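/*
 * Example (illustrative): booting with "spectre_v2_user=seccomp,ibpb"
 * selects SPECTRE_V2_USER_CMD_SECCOMP_IBPB, i.e. STIBP managed via
 * seccomp/prctl plus an unconditional IBPB on context switch.
 */
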
static void __init spec_v2_user_print_cond(const char *reason, bool secure)
{
	if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
		pr_info("spectre_v2_user=%s forced on command line.\n", reason);
}

static enum spectre_v2_user_cmd __init
spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd)
{
	char arg[20];
	int ret, i;

	switch (v2_cmd) {
	case SPECTRE_V2_CMD_NONE:
		return SPECTRE_V2_USER_CMD_NONE;
	case SPECTRE_V2_CMD_FORCE:
		return SPECTRE_V2_USER_CMD_FORCE;
	default:
		break;
	}

	ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
				  arg, sizeof(arg));
	if (ret < 0)
		return SPECTRE_V2_USER_CMD_AUTO;

	for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
		if (match_option(arg, ret, v2_user_options[i].option)) {
			spec_v2_user_print_cond(v2_user_options[i].option,
						v2_user_options[i].secure);
			return v2_user_options[i].cmd;
		}
	}

	pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg);
	return SPECTRE_V2_USER_CMD_AUTO;
}

static void __init
spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
{
	enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
	bool smt_possible = IS_ENABLED(CONFIG_SMP);
	enum spectre_v2_user_cmd cmd;

	if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
		return;

	if (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||
	    cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
		smt_possible = false;

	cmd = spectre_v2_parse_user_cmdline(v2_cmd);
	switch (cmd) {
	case SPECTRE_V2_USER_CMD_NONE:
		goto set_mode;
	case SPECTRE_V2_USER_CMD_FORCE:
		mode = SPECTRE_V2_USER_STRICT;
		break;
	case SPECTRE_V2_USER_CMD_PRCTL:
	case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
		mode = SPECTRE_V2_USER_PRCTL;
		break;
	case SPECTRE_V2_USER_CMD_AUTO:
	case SPECTRE_V2_USER_CMD_SECCOMP:
	case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
		if (IS_ENABLED(CONFIG_SECCOMP))
			mode = SPECTRE_V2_USER_SECCOMP;
		else
			mode = SPECTRE_V2_USER_PRCTL;
		break;
	}

	/*
	 * At this point, an STIBP mode other than "off" has been set.
	 * If STIBP support is not being forced, check if STIBP always-on
	 * is preferred.
	 */
	if (mode != SPECTRE_V2_USER_STRICT &&
	    boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))
		mode = SPECTRE_V2_USER_STRICT_PREFERRED;

	/* Initialize Indirect Branch Prediction Barrier */
	if (boot_cpu_has(X86_FEATURE_IBPB)) {
		setup_force_cpu_cap(X86_FEATURE_USE_IBPB);

		switch (cmd) {
		case SPECTRE_V2_USER_CMD_FORCE:
		case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
		case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
			static_branch_enable(&switch_mm_always_ibpb);
			break;
		case SPECTRE_V2_USER_CMD_PRCTL:
		case SPECTRE_V2_USER_CMD_AUTO:
		case SPECTRE_V2_USER_CMD_SECCOMP:
			static_branch_enable(&switch_mm_cond_ibpb);
			break;
		default:
			break;
		}

		pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
			static_key_enabled(&switch_mm_always_ibpb) ?
			"always-on" : "conditional");
	}

	/* If enhanced IBRS is enabled no STIBP required */
	if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
		return;

	/*
	 * If SMT is not possible or STIBP is not available clear the STIBP
	 * mode.
	 */
	if (!smt_possible || !boot_cpu_has(X86_FEATURE_STIBP))
		mode = SPECTRE_V2_USER_NONE;
set_mode:
	spectre_v2_user = mode;
	/* Only print the STIBP mode when SMT possible */
	if (smt_possible)
		pr_info("%s\n", spectre_v2_user_strings[mode]);
}

static const char * const spectre_v2_strings[] = {
	[SPECTRE_V2_NONE]			= "Vulnerable",
	[SPECTRE_V2_RETPOLINE_GENERIC]		= "Mitigation: Full generic retpoline",
	[SPECTRE_V2_RETPOLINE_AMD]		= "Mitigation: Full AMD retpoline",
	[SPECTRE_V2_IBRS_ENHANCED]		= "Mitigation: Enhanced IBRS",
};

static const struct {
	const char			*option;
	enum spectre_v2_mitigation_cmd	cmd;
	bool				secure;
} mitigation_options[] __initdata = {
	{ "off",		SPECTRE_V2_CMD_NONE,		  false },
	{ "on",			SPECTRE_V2_CMD_FORCE,		  true  },
	{ "retpoline",		SPECTRE_V2_CMD_RETPOLINE,	  false },
	{ "retpoline,amd",	SPECTRE_V2_CMD_RETPOLINE_AMD,	  false },
	{ "retpoline,generic",	SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
	{ "auto",		SPECTRE_V2_CMD_AUTO,		  false },
};

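/*
 * Example (illustrative): "spectre_v2=retpoline,generic" requests the
 * compiler-generated retpoline thunks even on CPUs where "auto" would pick
 * the AMD variant.
 */
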
static void __init spec_v2_print_cond(const char *reason, bool secure)
{
	if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
		pr_info("%s selected on command line.\n", reason);
}

static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
{
	enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
	char arg[20];
	int ret, i;

	if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
		return SPECTRE_V2_CMD_NONE;

	ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
	if (ret < 0)
		return SPECTRE_V2_CMD_AUTO;

	for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
		if (!match_option(arg, ret, mitigation_options[i].option))
			continue;
		cmd = mitigation_options[i].cmd;
		break;
	}

	if (i >= ARRAY_SIZE(mitigation_options)) {
		pr_err("unknown option (%s). Switching to AUTO select\n", arg);
		return SPECTRE_V2_CMD_AUTO;
	}

	if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
	     cmd == SPECTRE_V2_CMD_RETPOLINE_AMD ||
	     cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) &&
	    !IS_ENABLED(CONFIG_RETPOLINE)) {
		pr_err("%s selected but not compiled in. Switching to AUTO select\n",
		       mitigation_options[i].option);
		return SPECTRE_V2_CMD_AUTO;
	}

	if (cmd == SPECTRE_V2_CMD_RETPOLINE_AMD &&
	    boot_cpu_data.x86_vendor != X86_VENDOR_AMD) {
		pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n");
		return SPECTRE_V2_CMD_AUTO;
	}

	spec_v2_print_cond(mitigation_options[i].option,
			   mitigation_options[i].secure);
	return cmd;
}

static void __init spectre_v2_select_mitigation(void)
{
	enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
	enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;

	/*
	 * If the CPU is not affected and the command line mode is NONE or AUTO
	 * then nothing to do.
	 */
	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
	    (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
		return;

	switch (cmd) {
	case SPECTRE_V2_CMD_NONE:
		return;

	case SPECTRE_V2_CMD_FORCE:
	case SPECTRE_V2_CMD_AUTO:
		if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
			mode = SPECTRE_V2_IBRS_ENHANCED;
			/* Force it so VMEXIT will restore correctly */
			x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
			wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
			goto specv2_set_mode;
		}
		if (IS_ENABLED(CONFIG_RETPOLINE))
			goto retpoline_auto;
		break;
	case SPECTRE_V2_CMD_RETPOLINE_AMD:
		if (IS_ENABLED(CONFIG_RETPOLINE))
			goto retpoline_amd;
		break;
	case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
		if (IS_ENABLED(CONFIG_RETPOLINE))
			goto retpoline_generic;
		break;
	case SPECTRE_V2_CMD_RETPOLINE:
		if (IS_ENABLED(CONFIG_RETPOLINE))
			goto retpoline_auto;
		break;
	}
	pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!");
	return;

retpoline_auto:
	if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) {
	retpoline_amd:
		if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
			pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n");
			goto retpoline_generic;
		}
		mode = SPECTRE_V2_RETPOLINE_AMD;
		setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD);
		setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
	} else {
	retpoline_generic:
		mode = SPECTRE_V2_RETPOLINE_GENERIC;
		setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
	}

specv2_set_mode:
	spectre_v2_enabled = mode;
	pr_info("%s\n", spectre_v2_strings[mode]);

	/*
	 * If spectre v2 protection has been enabled, unconditionally fill
	 * RSB during a context switch; this protects against two independent
	 * threats:
	 *
	 * - RSB underflow (and switch to BTB) on Skylake+
	 * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs
	 */
	setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
	pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");

	/*
	 * Retpoline means the kernel is safe because it has no indirect
	 * branches. Enhanced IBRS protects firmware too, so, enable restricted
	 * speculation around firmware calls only when Enhanced IBRS isn't
	 * supported.
	 *
	 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
	 * the user might select retpoline on the kernel command line and if
	 * the CPU supports Enhanced IBRS, kernel might unintentionally not
	 * enable IBRS around firmware calls.
	 */
	if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) {
		setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
		pr_info("Enabling Restricted Speculation for firmware calls\n");
	}

	/* Set up IBPB and STIBP depending on the general spectre V2 command */
	spectre_v2_user_select_mitigation(cmd);

	/* Enable STIBP if appropriate */
	arch_smt_update();
}

static void update_stibp_msr(void * __unused)
{
	wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
}

/* Update x86_spec_ctrl_base in case SMT state changed. */
static void update_stibp_strict(void)
{
	u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP;

	if (sched_smt_active())
		mask |= SPEC_CTRL_STIBP;

	if (mask == x86_spec_ctrl_base)
		return;

	pr_info("Update user space SMT mitigation: STIBP %s\n",
		mask & SPEC_CTRL_STIBP ? "always-on" : "off");
	x86_spec_ctrl_base = mask;
	on_each_cpu(update_stibp_msr, NULL, 1);
}

/* Update the static key controlling the evaluation of TIF_SPEC_IB */
static void update_indir_branch_cond(void)
{
	if (sched_smt_active())
		static_branch_enable(&switch_to_cond_stibp);
	else
		static_branch_disable(&switch_to_cond_stibp);
}

void arch_smt_update(void)
{
	/* Enhanced IBRS implies STIBP. No update required. */
	if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
		return;

	mutex_lock(&spec_ctrl_mutex);

	switch (spectre_v2_user) {
	case SPECTRE_V2_USER_NONE:
		break;
	case SPECTRE_V2_USER_STRICT:
	case SPECTRE_V2_USER_STRICT_PREFERRED:
		update_stibp_strict();
		break;
	case SPECTRE_V2_USER_PRCTL:
	case SPECTRE_V2_USER_SECCOMP:
		update_indir_branch_cond();
		break;
	}

	mutex_unlock(&spec_ctrl_mutex);
}

#undef pr_fmt
#define pr_fmt(fmt)	"Speculative Store Bypass: " fmt

static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;

/* The kernel command line selection */
enum ssb_mitigation_cmd {
	SPEC_STORE_BYPASS_CMD_NONE,
	SPEC_STORE_BYPASS_CMD_AUTO,
	SPEC_STORE_BYPASS_CMD_ON,
	SPEC_STORE_BYPASS_CMD_PRCTL,
	SPEC_STORE_BYPASS_CMD_SECCOMP,
};

static const char * const ssb_strings[] = {
	[SPEC_STORE_BYPASS_NONE]	= "Vulnerable",
	[SPEC_STORE_BYPASS_DISABLE]	= "Mitigation: Speculative Store Bypass disabled",
	[SPEC_STORE_BYPASS_PRCTL]	= "Mitigation: Speculative Store Bypass disabled via prctl",
	[SPEC_STORE_BYPASS_SECCOMP]	= "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
};

static const struct {
	const char		*option;
	enum ssb_mitigation_cmd	cmd;
} ssb_mitigation_options[] __initdata = {
	{ "auto",	SPEC_STORE_BYPASS_CMD_AUTO },    /* Platform decides */
	{ "on",		SPEC_STORE_BYPASS_CMD_ON },      /* Disable Speculative Store Bypass */
	{ "off",	SPEC_STORE_BYPASS_CMD_NONE },    /* Don't touch Speculative Store Bypass */
	{ "prctl",	SPEC_STORE_BYPASS_CMD_PRCTL },   /* Disable Speculative Store Bypass via prctl */
	{ "seccomp",	SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
};

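/*
 * Example (illustrative): "spec_store_bypass_disable=prctl" leaves
 * speculative store bypass enabled by default and lets individual tasks
 * request the mitigation via prctl(PR_SET_SPECULATION_CTRL, ...).
 */
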
static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
{
	enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
	char arg[20];
	int ret, i;

	if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) {
		return SPEC_STORE_BYPASS_CMD_NONE;
	} else {
		ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
					  arg, sizeof(arg));
		if (ret < 0)
			return SPEC_STORE_BYPASS_CMD_AUTO;

		for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
			if (!match_option(arg, ret, ssb_mitigation_options[i].option))
				continue;

			cmd = ssb_mitigation_options[i].cmd;
			break;
		}

		if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
			pr_err("unknown option (%s). Switching to AUTO select\n", arg);
			return SPEC_STORE_BYPASS_CMD_AUTO;
		}
	}

	return cmd;
}

static enum ssb_mitigation __init __ssb_select_mitigation(void)
{
	enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
	enum ssb_mitigation_cmd cmd;

	if (!boot_cpu_has(X86_FEATURE_SSBD))
		return mode;

	cmd = ssb_parse_cmdline();
	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
	    (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
	     cmd == SPEC_STORE_BYPASS_CMD_AUTO))
		return mode;

	switch (cmd) {
	case SPEC_STORE_BYPASS_CMD_AUTO:
	case SPEC_STORE_BYPASS_CMD_SECCOMP:
		/*
		 * Choose prctl+seccomp as the default mode if seccomp is
		 * enabled.
		 */
		if (IS_ENABLED(CONFIG_SECCOMP))
			mode = SPEC_STORE_BYPASS_SECCOMP;
		else
			mode = SPEC_STORE_BYPASS_PRCTL;
		break;
	case SPEC_STORE_BYPASS_CMD_ON:
		mode = SPEC_STORE_BYPASS_DISABLE;
		break;
	case SPEC_STORE_BYPASS_CMD_PRCTL:
		mode = SPEC_STORE_BYPASS_PRCTL;
		break;
	case SPEC_STORE_BYPASS_CMD_NONE:
		break;
	}

	/*
	 * We have three CPU feature flags that are in play here:
	 *  - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
	 *  - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
	 *  - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
	 */
	if (mode == SPEC_STORE_BYPASS_DISABLE) {
		setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
		/*
		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
		 * use a completely different MSR and bit dependent on family.
		 */
		if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
		    !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
			x86_amd_ssb_disable();
		} else {
			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
			x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
			wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
		}
	}

	return mode;
}

static void ssb_select_mitigation(void)
{
	ssb_mode = __ssb_select_mitigation();

	if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
		pr_info("%s\n", ssb_strings[ssb_mode]);
}

#undef pr_fmt
#define pr_fmt(fmt)	"Speculation prctl: " fmt

static void task_update_spec_tif(struct task_struct *tsk)
{
	/* Force the update of the real TIF bits */
	set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE);

	/*
	 * Immediately update the speculation control MSRs for the current
	 * task, but for a non-current task delay setting the CPU
	 * mitigation until it is scheduled next.
	 *
	 * This can only happen for SECCOMP mitigation. For PRCTL it's
	 * always the current task.
	 */
	if (tsk == current)
		speculation_ctrl_update_current();
}

static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
{
	if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
	    ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
		return -ENXIO;

	switch (ctrl) {
	case PR_SPEC_ENABLE:
		/* If speculation is force disabled, enable is not allowed */
		if (task_spec_ssb_force_disable(task))
			return -EPERM;
		task_clear_spec_ssb_disable(task);
		task_update_spec_tif(task);
		break;
	case PR_SPEC_DISABLE:
		task_set_spec_ssb_disable(task);
		task_update_spec_tif(task);
		break;
	case PR_SPEC_FORCE_DISABLE:
		task_set_spec_ssb_disable(task);
		task_set_spec_ssb_force_disable(task);
		task_update_spec_tif(task);
		break;
	default:
		return -ERANGE;
	}
	return 0;
}

static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
{
	switch (ctrl) {
	case PR_SPEC_ENABLE:
		if (spectre_v2_user == SPECTRE_V2_USER_NONE)
			return 0;
		/*
		 * Indirect branch speculation is always disabled in strict
		 * mode.
		 */
		if (spectre_v2_user == SPECTRE_V2_USER_STRICT ||
		    spectre_v2_user == SPECTRE_V2_USER_STRICT_PREFERRED)
			return -EPERM;
		task_clear_spec_ib_disable(task);
		task_update_spec_tif(task);
		break;
	case PR_SPEC_DISABLE:
	case PR_SPEC_FORCE_DISABLE:
		/*
		 * Indirect branch speculation is always allowed when
		 * mitigation is force disabled.
		 */
		if (spectre_v2_user == SPECTRE_V2_USER_NONE)
			return -EPERM;
		if (spectre_v2_user == SPECTRE_V2_USER_STRICT ||
		    spectre_v2_user == SPECTRE_V2_USER_STRICT_PREFERRED)
			return 0;
		task_set_spec_ib_disable(task);
		if (ctrl == PR_SPEC_FORCE_DISABLE)
			task_set_spec_ib_force_disable(task);
		task_update_spec_tif(task);
		break;
	default:
		return -ERANGE;
	}
	return 0;
}

int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
			     unsigned long ctrl)
{
	switch (which) {
	case PR_SPEC_STORE_BYPASS:
		return ssb_prctl_set(task, ctrl);
	case PR_SPEC_INDIRECT_BRANCH:
		return ib_prctl_set(task, ctrl);
	default:
		return -ENODEV;
	}
}

#ifdef CONFIG_SECCOMP
void arch_seccomp_spec_mitigate(struct task_struct *task)
{
	if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
		ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
	if (spectre_v2_user == SPECTRE_V2_USER_SECCOMP)
		ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
}
#endif

static int ssb_prctl_get(struct task_struct *task)
{
	switch (ssb_mode) {
	case SPEC_STORE_BYPASS_DISABLE:
		return PR_SPEC_DISABLE;
	case SPEC_STORE_BYPASS_SECCOMP:
	case SPEC_STORE_BYPASS_PRCTL:
		if (task_spec_ssb_force_disable(task))
			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
		if (task_spec_ssb_disable(task))
			return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
		return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
	default:
		if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
			return PR_SPEC_ENABLE;
		return PR_SPEC_NOT_AFFECTED;
	}
}

static int ib_prctl_get(struct task_struct *task)
{
	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
		return PR_SPEC_NOT_AFFECTED;

	switch (spectre_v2_user) {
	case SPECTRE_V2_USER_NONE:
		return PR_SPEC_ENABLE;
	case SPECTRE_V2_USER_PRCTL:
	case SPECTRE_V2_USER_SECCOMP:
		if (task_spec_ib_force_disable(task))
			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
		if (task_spec_ib_disable(task))
			return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
		return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
	case SPECTRE_V2_USER_STRICT:
	case SPECTRE_V2_USER_STRICT_PREFERRED:
		return PR_SPEC_DISABLE;
	default:
		return PR_SPEC_NOT_AFFECTED;
	}
}

int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
{
	switch (which) {
	case PR_SPEC_STORE_BYPASS:
		return ssb_prctl_get(task);
	case PR_SPEC_INDIRECT_BRANCH:
		return ib_prctl_get(task);
	default:
		return -ENODEV;
	}
}

void x86_spec_ctrl_setup_ap(void)
{
	if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
		wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);

	if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
		x86_amd_ssb_disable();
}

#undef pr_fmt
#define pr_fmt(fmt)	"L1TF: " fmt

/* Default mitigation for L1TF-affected CPUs */
enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
#if IS_ENABLED(CONFIG_KVM_INTEL)
EXPORT_SYMBOL_GPL(l1tf_mitigation);

enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation);
#endif

/*
 * These CPUs all support 44bits physical address space internally in the
 * cache but CPUID can report a smaller number of physical address bits.
 *
 * The L1TF mitigation uses the top most address bit for the inversion of
 * non present PTEs. When the installed memory reaches into the top most
 * address bit due to memory holes, which has been observed on machines
 * which report 36bits physical address bits and have 32G RAM installed,
 * then the mitigation range check in l1tf_select_mitigation() triggers.
 * This is a false positive because the mitigation is still possible due to
 * the fact that the cache uses 44bit internally. Use the cache bits
 * instead of the reported physical bits and adjust them on the affected
 * machines to 44bit if the reported bits are less than 44.
 */
static void override_cache_bits(struct cpuinfo_x86 *c)
{
	if (c->x86 != 6)
		return;

	switch (c->x86_model) {
	case INTEL_FAM6_NEHALEM:
	case INTEL_FAM6_WESTMERE:
	case INTEL_FAM6_SANDYBRIDGE:
	case INTEL_FAM6_IVYBRIDGE:
	case INTEL_FAM6_HASWELL_CORE:
	case INTEL_FAM6_HASWELL_ULT:
	case INTEL_FAM6_HASWELL_GT3E:
	case INTEL_FAM6_BROADWELL_CORE:
	case INTEL_FAM6_BROADWELL_GT3E:
	case INTEL_FAM6_SKYLAKE_MOBILE:
	case INTEL_FAM6_SKYLAKE_DESKTOP:
	case INTEL_FAM6_KABYLAKE_MOBILE:
	case INTEL_FAM6_KABYLAKE_DESKTOP:
		if (c->x86_cache_bits < 44)
			c->x86_cache_bits = 44;
		break;
	}
}

static void __init l1tf_select_mitigation(void)
{
	u64 half_pa;

	if (!boot_cpu_has_bug(X86_BUG_L1TF))
		return;

	override_cache_bits(&boot_cpu_data);

	switch (l1tf_mitigation) {
	case L1TF_MITIGATION_OFF:
	case L1TF_MITIGATION_FLUSH_NOWARN:
	case L1TF_MITIGATION_FLUSH:
		break;
	case L1TF_MITIGATION_FLUSH_NOSMT:
	case L1TF_MITIGATION_FULL:
		cpu_smt_disable(false);
		break;
	case L1TF_MITIGATION_FULL_FORCE:
		cpu_smt_disable(true);
		break;
	}

#if CONFIG_PGTABLE_LEVELS == 2
	pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
	return;
#endif

	half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
	if (e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
		pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
		pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
				half_pa);
		pr_info("However, doing so will make a part of your RAM unusable.\n");
		pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html might help you decide.\n");
		return;
	}

	setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV);
}

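/*
 * Worked example (illustrative, assuming l1tf_pfn_limit() caps PFNs at
 * 1 << (x86_cache_bits - 1 - PAGE_SHIFT)): with x86_cache_bits == 36,
 * half_pa above is 1ULL << 35 = 32GB, so any E820 RAM at or above 32GB
 * defeats plain PTE inversion, which is exactly what the
 * e820__mapped_any() check catches.
 */
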
static int __init l1tf_cmdline(char *str)
{
	if (!boot_cpu_has_bug(X86_BUG_L1TF))
		return 0;

	if (!str)
		return -EINVAL;

	if (!strcmp(str, "off"))
		l1tf_mitigation = L1TF_MITIGATION_OFF;
	else if (!strcmp(str, "flush,nowarn"))
		l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN;
	else if (!strcmp(str, "flush"))
		l1tf_mitigation = L1TF_MITIGATION_FLUSH;
	else if (!strcmp(str, "flush,nosmt"))
		l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
	else if (!strcmp(str, "full"))
		l1tf_mitigation = L1TF_MITIGATION_FULL;
	else if (!strcmp(str, "full,force"))
		l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE;

	return 0;
}
early_param("l1tf", l1tf_cmdline);

#undef pr_fmt
#define pr_fmt(fmt)	fmt

#ifdef CONFIG_SYSFS

#define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"

#if IS_ENABLED(CONFIG_KVM_INTEL)
static const char * const l1tf_vmx_states[] = {
	[VMENTER_L1D_FLUSH_AUTO]		= "auto",
	[VMENTER_L1D_FLUSH_NEVER]		= "vulnerable",
	[VMENTER_L1D_FLUSH_COND]		= "conditional cache flushes",
	[VMENTER_L1D_FLUSH_ALWAYS]		= "cache flushes",
	[VMENTER_L1D_FLUSH_EPT_DISABLED]	= "EPT disabled",
	[VMENTER_L1D_FLUSH_NOT_REQUIRED]	= "flush not necessary"
};

static ssize_t l1tf_show_state(char *buf)
{
	if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO)
		return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);

	if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
	    (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
	     sched_smt_active())) {
		return sprintf(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
			       l1tf_vmx_states[l1tf_vmx_mitigation]);
	}

	return sprintf(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
		       l1tf_vmx_states[l1tf_vmx_mitigation],
		       sched_smt_active() ? "vulnerable" : "disabled");
}
#else
static ssize_t l1tf_show_state(char *buf)
{
	return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
}
#endif

static char *stibp_state(void)
{
	if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
		return "";

	switch (spectre_v2_user) {
	case SPECTRE_V2_USER_NONE:
		return ", STIBP: disabled";
	case SPECTRE_V2_USER_STRICT:
		return ", STIBP: forced";
	case SPECTRE_V2_USER_STRICT_PREFERRED:
		return ", STIBP: always-on";
	case SPECTRE_V2_USER_PRCTL:
	case SPECTRE_V2_USER_SECCOMP:
		if (static_key_enabled(&switch_to_cond_stibp))
			return ", STIBP: conditional";
	}
	return "";
}

static char *ibpb_state(void)
{
	if (boot_cpu_has(X86_FEATURE_IBPB)) {
		if (static_key_enabled(&switch_mm_always_ibpb))
			return ", IBPB: always-on";
		if (static_key_enabled(&switch_mm_cond_ibpb))
			return ", IBPB: conditional";
		return ", IBPB: disabled";
	}
	return "";
}

static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
			       char *buf, unsigned int bug)
{
	if (!boot_cpu_has_bug(bug))
		return sprintf(buf, "Not affected\n");

	switch (bug) {
	case X86_BUG_CPU_MELTDOWN:
		if (boot_cpu_has(X86_FEATURE_PTI))
			return sprintf(buf, "Mitigation: PTI\n");

		break;

	case X86_BUG_SPECTRE_V1:
		return sprintf(buf, "Mitigation: __user pointer sanitization\n");

	case X86_BUG_SPECTRE_V2:
		return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
			       ibpb_state(),
			       boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
			       stibp_state(),
			       boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
			       spectre_v2_module_string());

	case X86_BUG_SPEC_STORE_BYPASS:
		return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);

	case X86_BUG_L1TF:
		if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
			return l1tf_show_state(buf);
		break;
	default:
		break;
	}

	return sprintf(buf, "Vulnerable\n");
}

ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
}

ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
}

ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
}

ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
}

ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_L1TF);
}
#endif